Hong Kong Privacy Commissioner for Personal Data publishes "New
Guidance on Direct Marketing"
February 2013
www.hoganlovells.com
© Hogan Lovells 2013. All rights reserved.
As reported in our previous Newsflash (available here), the
Personal Data (Privacy) Amendment Ordinance (the
"Amendment Ordinance") was passed on 27 June 2012.
The Amendment Ordinance contains a number of new
provisions regulating the use of personal data in connection
with direct marketing activities, which tighten the regulation of
direct marketing activities in Hong Kong.
While most of the provisions in the Amendment Ordinance
have already been implemented, the provisions relating to
direct marketing are set to come into effect on 1 April 2013
(the "Commencement Date"). In order to provide guidance
for organisations on compliance with the new direct marketing
provisions, the Privacy Commissioner for Personal Data (the
"Commissioner") published a guidance note on 15 January
2013, titled "New Guidance on Direct Marketing" (the
"Guidance Note").
To a large extent the Guidance Note follows the
recommendations contained in the Direct Marketing Guidance
Note issued by the Commissioner in 2010 (and revised in
2012). There are a number of important differences, the most
significant of which relate to the consent and notification
requirements under the new direct marketing provisions. The
Amendment Ordinance requires organisations that collect
personal data ("data users") to communicate to individuals
from whom they collect such data ("data subjects") certain
information together with an opt-out facility before they use
such data for direct marketing. Further, in a change which is
set to affect the data collection practices of many data users
in Hong Kong, the Guidance Note makes it clear that consent
must be explicit and cannot be inferred from silence or
inaction on the part of the data subject.
We highlight below the major recommendations set out in the
Guidance Note, and discuss the implications for organisations
that conduct direct marketing in Hong Kong.
What constitutes direct marketing?
Not all marketing activities will fall under the definition of
"direct marketing". Marketing communications will only be
classified as "direct marketing" where they are addressed to a
specific person by name or where a phone call is made to a
specific person. Marketing activities such as door to door
sales, direct mail sent to the "householder" or cold calls to
unidentified individuals do not fall under the definition of
"direct marketing" and are not regulated under the Personal
Data (Privacy) Ordinance.
Notification requirements
Before using personal data for direct marketing purposes, the
Amendment Ordinance requires that data users provide the
following notification to the relevant data subjects:
(i) that the data user intends to use the data subject's
personal data for direct marketing purposes and that it
cannot do so without the data subject's consent;
(ii) the types of personal data they will use for direct
marketing purposes (e.g. name, phone number,
residential address, email address etc.); and
(iii) the categories of goods/services that will be marketed
(e.g. financial services, insurance services,
telecommunications services etc.).
Data users should avoid using vague and loose terms which
prevent the data subject from ascertaining the goods/services
to be marketed, or the classes of transferees, with a
reasonable degree of certainty. The Guidance Note makes it
clear that descriptions such as "retail services and products",
"all goods and services offered by X Company" or "goods and
services provided by X and its related parties, agents,
contracts and suppliers" would not be sufficiently specific so
as to satisfy the notification requirement.
While the Amendment Ordinance does not prescribe any
particular method for providing the necessary notification to
data subjects, it is usual practice for the notification to be
contained in a written Personal Information Collection
Statement ("PICS"). The Amendment Ordinance requires the
notification to be easily understandable and where the
notification is provided in writing, easily readable. Data users
should therefore ensure that the PICS is drafted in clear and
simple language, and is displayed in a manner which makes it
easy to identify and read (e.g. with clear headings, a
reasonable font size and not buried amongst other terms and
conditions).
While data users are only required to inform data subjects of
the above information before using their personal data for
direct marketing purposes, the Guidance Note recommends
data users send this notification to data subjects as early as
possible (ideally at the time of collection).
Provided that the personal data will not be transferred or sold
to a third party for direct marketing purposes, the notification
can be provided orally or in writing. Where a data user intends
to transfer/sell personal data to a third party for direct
marketing purposes, data users must provide data subjects
with written notification of:
(i) the data user's intention to transfer the data subject's
personal data for direct marketing purposes (and that it
cannot do so without consent);
(ii) the type of personal data to be transferred;
(iii) the classes of transferees;
(iv) the categories of goods and services that may be
marketed by the transferee(s); and
(v) their intention to sell the personal data or otherwise
transfer such data for gain (where applicable).
Data users must also provide a response facility through
which data subjects can indicate their consent (or otherwise)
to their personal data being used for direct marketing, e.g. a
tick box or website for data subjects to opt out of, or in to, direct
marketing, or a specific address or telephone number that
data subjects may use to opt-out (as discussed in more detail
in relation to consent below).
The existing requirement for data users to inform data
subjects of their right to withdraw consent when using
personal data for direct marketing for the first time has been
retained. Data users must therefore provide notification twice
– once before the data is used for direct marketing purposes,
and once when the data is used for such purposes for the first
time.
Consent
In addition to providing the requisite notification to data
subjects outlined above, data users must also obtain consent
(which includes an indication of no objection) from data
subjects before using personal data for direct marketing.
There was much uncertainty following the passing of the
Amendment Ordinance as to whether the consent required
would take the form of an opt-out or opt-in provision. The
Commissioner has made it clear in the Guidance Note that
consent cannot be implied by silence and an explicit indication
of consent/no objection must be obtained. For example,
consent would be obtained where a data subject does not tick
an opt-out box on a form that is signed and returned to the
data user, or where during a phone call, the data subject
states that he/she is interested in the products/services
offered and would like the data user to send further
information to an address. Consent would not be obtained
where a data user sends a notification and opt-out facility to a
data subject and does not receive a response from the data
subject.
Consent can either be given generally (i.e. for all direct
marketing activities), or selectively (i.e. only in relation to
marketing via one or more means or only particular categories
of personal information can be used). Although not
mandatory, the Guidance Note recommends that data users
design their response facility to allow data subjects to provide
selective consent.
Data users should avoid "bundled consent" (e.g. not including
a separate direct marketing opt-out/opt-in tick box, or
signature panel, so that data subjects are forced to choose
between giving up the goods/services offered, or agreeing to
the use of their personal data as prescribed by the data
user).
The form of the consent depends on whether the data user
intends to transfer/sell the personal data to a third party.
Consent can be obtained either orally or in writing if the data
user intends to use the personal data for its own direct
marketing purposes, but written consent must be obtained if
the data user intends to transfer/sell the personal data to a
third party for use by the third party for marketing purposes.
Where consent has been obtained orally, data users must
write to data subjects within 14 days of receiving such
consent to confirm:
(i) the timing of the consent;
(ii) the personal data that the consent relates to; and
(iii) the classes of goods/services that may be marketed.
Should the data user fail to deliver the written confirmation
(including where the written confirmation was returned
undelivered), the oral consent would not satisfy the
requirement for consent under the Amendment Ordinance.
While not a requirement under the Amendment Ordinance,
the Guidance Note recommends that data users include their
contact information in such confirmation, to enable the data
subject to dispute the confirmation, and wait for some time
(e.g. 14 days) to allow the data subject to object before using
such data for direct marketing purposes.
Data users are only permitted to use the personal data in a
manner and for purposes as described in the notification.
Fresh consent must be obtained if the personal data is to be
used in a manner which is outside the scope of the original
notification/consent (e.g. where the data user intends to
market different goods/services).
Existing personal data – grandfathering arrangement
The notification and consent requirements for direct marketing
under the Amendment Ordinance do not operate on a
retrospective basis. Personal data collected before the
Commencement Date shall be exempt from these new direct
marketing requirements provided that:
(i) the data subject was explicitly informed (in an easily
understandable/easily readable manner) of the
intended use of his/her personal data for direct
marketing purposes for specific categories of
goods/services;
(ii) the data user will have used the data for such direct
marketing purposes before the Commencement Date;
(iii) the data subject has not withdrawn consent to such
use; and
(iv) the use is not in contravention of the existing
requirements under the Personal Data (Privacy)
Ordinance at the time of such use.
The burden of proof in establishing that the above
requirements have been met rests with the data user seeking
to rely on the grandfathering provision. It is therefore
important that appropriate evidence as to the satisfaction of
the requirements is retained by data users.
Data users should note the limitations of the grandfathering
arrangement as it only applies to the extent that existing data
is used to market the same class of goods/services following
the introduction of the Amendment Ordinance, and does not
apply where existing data is to be transferred/sold to a third
party. In addition, while the arrangement applies to minor
updates to existing personal data (such as updating the
residential address of a data subject), it is unlikely that it will
apply to more significant amendments (e.g. acquiring new
data when updating the data subject's customer profile).
Penalties
Breaches of the new direct marketing provisions attract
significantly higher penalties than those applicable before.
Maximum penalties of a HK$ 500,000 fine and 3 years'
imprisonment apply where the data user uses personal data
for its own direct marketing purposes, or transfers personal
data to a third party for direct marketing purposes, in
contravention of the new requirements. Where the data user
sells (or otherwise transfers for gain) the personal data to a
third party for direct marketing purposes in contravention of
the new requirements, the maximum penalty increases to a
HK$ 1,000,000 fine and 5 years' imprisonment. This
represents a significant increase from the maximum fine of
HK$ 10,000 applicable for breaches of the direct marketing
requirements, under the previous regime.
Implications for businesses
The new direct marketing requirements introduced by the
Amendment Ordinance will have serious implications for the
way in which data users in Hong Kong handle personal data
of customers when conducting direct marketing. Now that the
Commissioner has issued guidance setting out how his office
intends to interpret and enforce the new direct marketing
requirements, this is a good time for data users to review their
practices relating to direct marketing to ensure that they
comply with the new requirements (e.g. revising personal
information collection statements, forms used to collect
personal data and opt-out/opt-in facilities).
Data users should carefully review their practices and
consider whether the grandfathering arrangement would apply
to them. The grandfathering arrangement requires that data
subjects have been explicitly informed of the data user's
intention to use the data subjects' personal data for direct
marketing in relation to specific class(es) of goods/services.
On a strict reading of this requirement a notification stating
that the data subjects' personal data may be used for direct
marketing purposes (without specifying the categories of
goods/services to be marketed) would not satisfy this
requirement. There is also a requirement for the notification to
have been easily understandable, and if in writing easily
readable, which means that the grandfathering arrangement
may not apply where a Personal Information Collection
Statement has been provided in very small font or buried
amongst other terms and conditions. The Commissioner has
not issued any guidance in this respect and it remains to be
seen how these requirements will be applied in practice. If the
requirements are strictly interpreted, it is quite likely that many
data users in Hong Kong will not be able to rely on the
grandfathering arrangement and will be required to comply
with the new direct marketing requirements in respect of all
personal data (whether for new or existing clients/customers).
In order for data users to comply with the new requirements
for new clients/customers, they will need to ensure that the
forms used to collect personal data comply with the new
notification requirements (e.g. providing a PICS setting out the
information outlined above as well as an opt-out facility) and
that their direct marketing activities do not extend beyond the
scope of such notification/consent (e.g. that they do not
market different categories of goods and services, or continue
marketing to a data subject who has opted out). Where a form
containing the necessary notification and an opt-out facility is
provided to a customer and the customer returns the form
without exercising his/her right to opt-out, the requirements
will have been complied with and the data user will be able to
use the personal data for direct marketing purposes as set out
in the notification.
The situation becomes more complicated when attempting to
comply with the new requirements for existing customers (e.g.
where the grandfathering arrangement does not apply). The
Guidance Note makes it clear that a positive indication of
consent/no objection is required and consent may not be
deemed from silence or inaction. This means that in order to
comply with the new requirements for existing data, data
users will need to send a notification and opt-out facility to
existing customers and may only use the personal data of
such customers if they receive a reply from the customer
indicating that they consent/do not object to such use. This
presents huge practical difficulties given that a large
percentage of existing customers are unlikely to respond,
which could significantly reduce the data user's
marketing pool. Steps may be taken to increase the likelihood
of existing customers providing a response (e.g. providing a
pre-paid return envelope or some form of discount or
incentive for customers to reply), but such steps are unlikely
to be effective in all cases.
In the event that the grandfathering arrangement applies, data
users will have to implement and manage 2 systems for
handling personal data (1 for pre-existing data and 1 for new
data), which creates an administrative burden and may result
in confusion as to how a particular piece of personal data
should be treated. Marketing activities using pre-existing data
would have to be carefully monitored to ensure that no new
goods/services are marketed using such data without first
complying with the notification/consent requirements under
the Amendment Ordinance.
In order to minimise the risk associated with the
grandfathering arrangement, data users may wish to take
steps to comply with the new requirements for existing
customers so as to avoid having to rely on the grandfathering
arrangement, for example by placing a notification/opt-out facility on
all forms sent to existing customers (e.g. change of details forms,
membership renewal forms etc.) and/or sending out a
notification/opt-out facility to existing customers along with a
pre-paid reply envelope and a discount for those customers
who respond.
It is expected that the Commissioner will pay close attention
to compliance with the new direct marketing requirements
following their implementation. Given this and the higher
penalties applicable to such requirements, data users should
take the time to review their direct marketing practices and
implement the necessary changes to ensure compliance with
the new requirements prior to the Commencement Date.
HOW WE CAN HELP
We advise clients on all aspects of data protection, in
particular with respect to data audits; the formulation of data
protection policies and collection statements; data protection
compliance; database and website compliance; data
interception; the centralisation and cross-border transfer of
personal data; data processing; marketing policies and
practices; data access requests; and the transfer of personal
data in corporate transactions. We regularly assist clients in
dealing with data protection complaints and with responses to
enquiries and investigations initiated by the Commissioner.
The new direct marketing requirements will impact all
companies which engage in direct marketing in Hong Kong.
For further information on how the new requirements will
affect your business, or if you require assistance with
evaluating your current practices and policies relating to data
collection and use or with the review of your personal
information collection statements, data transfer agreements or
other privacy related documents, please contact Gabriela
Kennedy.